diff --git a/bootstrap.d/11-apt.sh b/bootstrap.d/11-apt.sh
index 55f1592..71fbc22 100644
--- a/bootstrap.d/11-apt.sh
+++ b/bootstrap.d/11-apt.sh
@@ -16,7 +16,11 @@ install_readonly files/apt/sources.list "${ETC_DIR}/apt/sources.list"
 # Use specified APT server and release
 sed -i "s/\/ftp.debian.org\//\/${APT_SERVER}\//" "${ETC_DIR}/apt/sources.list"
+if [ "$RELEASE" = "bullseye" ] || [ "$RELEASE" = "testing" ] ; then
+sed -i "s,stretch\\/updates,testing-security," "${ETC_DIR}/apt/sources.list"
+else
 sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"
+fi
 # Upgrade package index and update all installed packages and changed dependencies
 chroot_exec apt-get -qq -y update
diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh
index 536ced0..9a07daf 100644
--- a/bootstrap.d/13-kernel.sh
+++ b/bootstrap.d/13-kernel.sh
@@ -52,6 +52,10 @@ if [ "$BUILD_KERNEL" = true ] ; then
 if [ "$KERNEL_THREADS" = "1" ] && [ -r /proc/cpuinfo ] ; then
 KERNEL_THREADS=$(grep -c processor /proc/cpuinfo)
 fi
+
+ if [ "$ENABLE_QEMU" = true ] && [ "$KERNEL_ARCH" = arm64 ]; then
+ cp "${KERNEL_DIR}"/arch/arm/configs/vexpress_defconfig "${KERNEL_DIR}"/arch/arm64/configs/
+ fi
 # Configure and build kernel
 if [ "$KERNELSRC_PREBUILT" = false ] ; then
@@ -98,7 +102,7 @@ if [ "$BUILD_KERNEL" = true ] ; then
 #Switch to KERNELSRC_DIR so we can use set_kernel_config
 cd "${KERNEL_DIR}" || exit
- if [ "$KERNEL_ARCH" = arm64 ] ; then
+ if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" = false ]; then
 #Fix SD_DRIVER upstream and downstream mess in 64bit RPIdeb_config
 # use correct driver MMC_BCM2835_MMC instead of MMC_BCM2835_SDHOST - see https://www.raspberrypi.org/forums/viewtopic.php?t=210225
 set_kernel_config CONFIG_MMC_BCM2835 n
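Review bot: In the new bullseye/testing branch of 11-apt.sh only the `stretch/updates` entry is rewritten; the `sed -i "s/ stretch/ ${RELEASE}/"` that renames every other suite now lives in the else branch, so for those releases sources.list keeps the main archive on stretch while pulling security updates from testing-security, mixing two suites in one image. Run the security rewrite first and the suite rename unconditionally, and derive the security suite from the release so bullseye gets `bullseye-security` rather than `testing-security`: `sed -i "s,stretch/updates,${RELEASE}-security," "${ETC_DIR}/apt/sources.list"` inside the if, then `sed -i "s/ stretch/ ${RELEASE}/" "${ETC_DIR}/apt/sources.list"` after the fi. `${APT_SERVER}` and `${RELEASE}` are also spliced unescaped into sed expressions, so a value containing `/` or `,` breaks the command; worth rejecting such values up front.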
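Review bot: The new `cp` of `arch/arm/configs/vexpress_defconfig` into `arch/arm64/configs/` places a 32-bit ARM board defconfig in the arm64 config directory, and nothing in this hunk shows the later defconfig selection (outside the hunk) consuming it for an arm64 QEMU build; upstream arm64 normally builds from its single `defconfig`, so confirm this copy is actually used. The copy also has no error check while the `cd "${KERNEL_DIR}" || exit` below does; write it as `cp "${KERNEL_DIR}"/arch/arm/configs/vexpress_defconfig "${KERNEL_DIR}"/arch/arm64/configs/ || exit 1`.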
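Review bot: The added guard `[ "$ENABLE_QEMU" = false ]` in 13-kernel.sh silently skips the MMC driver fix whenever ENABLE_QEMU is unset or empty, whereas every other feature flag in this file is tested positively with `= true`. Use `if [ "$KERNEL_ARCH" = arm64 ] && [ "$ENABLE_QEMU" != true ]; then` so a missing flag keeps the previous behaviour. The if block continues past the end of the hunk.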
@@ -110,7 +114,7 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_IPVLAN m
 fi
- # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
+ # enable ZSWAP see https://askubuntu.com/a/472227 or https://wiki.archlinux.org/index.php/zswap
 if [ "$KERNEL_ZSWAP" = true ] ; then
 set_kernel_config CONFIG_ZPOOL y
 set_kernel_config CONFIG_ZSWAP y
@@ -118,13 +122,15 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_Z3FOLD y
 set_kernel_config CONFIG_ZSMALLOC y
 set_kernel_config CONFIG_PGTABLE_MAPPING y
- set_kernel_config CONFIG_LZO_COMPRESS y
+ set_kernel_config CONFIG_LZO_COMPRESS y
 fi
 # enable basic KVM support; see https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=210546&start=25#p1300453
- if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
- set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
+ if [ "$KERNEL_VIRT" = true ] && { [ "$RPI_MODEL" = 2 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
+ set_kernel_config CONFIG_SLAB_FREELIST_RANDOM=y
+ set_kernel_config CONFIG_SLAB_FREELIST_HARDENED=y
+ set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y
 set_kernel_config CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL y
 set_kernel_config CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT y
 set_kernel_config CONFIG_HAVE_KVM_EVENTFD y
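Review bot: `set_kernel_config CONFIG_SLAB_FREELIST_RANDOM=y` and the HARDENED line below it pass a single `NAME=value` argument, while every other call in this file passes the option name and the value as two arguments (`set_kernel_config CONFIG_HAVE_KVM_IRQCHIP y`); unless set_kernel_config, defined outside the hunk, special-cases that form, these two hardening options are never applied. Change them to `set_kernel_config CONFIG_SLAB_FREELIST_RANDOM y` and `set_kernel_config CONFIG_SLAB_FREELIST_HARDENED y`. They also sit inside the KERNEL_VIRT / RPi 2-3 block, so freelist randomisation and hardening are only enabled on KVM builds; they belong with the KERNEL_SECURITY options in the block that follows.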
@@ -142,18 +148,17 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_VHOST_CROSS_ENDIAN_LEGACY y
 set_kernel_config CONFIG_VHOST_NET m
 set_kernel_config CONFIG_VIRTUALIZATION y
-
- set_kernel_config CONFIG_MMU_NOTIFIER y
-
- # erratum
- set_kernel_config ARM64_ERRATUM_834220 y
-
- # https://sourceforge.net/p/kvm/mailman/message/18440797/
- set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
- fi
+ set_kernel_config CONFIG_MMU_NOTIFIER y
+
+ # erratum
+ set_kernel_config ARM64_ERRATUM_834220 y
+
+ # https://sourceforge.net/p/kvm/mailman/message/18440797/
+ set_kernel_config CONFIG_PREEMPT_NOTIFIERS y
+ fi
 # enable apparmor,integrity audit,
- if [ "$KERNEL_SECURITY" = true ] ; then
+ if [ "$KERNEL_SECURITY" = true ] ; then
 # security filesystem, security models and audit
 set_kernel_config CONFIG_SECURITYFS y
@@ -211,12 +216,11 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
- set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
- set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
- set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
+ set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m
+ set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE 4096
 set_kernel_config CONFIG_ARM64_CRYPTO y
 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
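Review bot: The second hunk removes the duplicate `set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y` but keeps `set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS m`; CONFIG_SYSTEM_TRUSTED_KEYS is a string option (the path of a PEM bundle of extra certificates to build into the kernel's trusted keyring), not a tristate, so `m` is not a valid value and will be dropped or rejected when the config is regenerated. If no extra certificates are meant to be compiled in, set it to an empty string, e.g. `set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS ""` (depending on how set_kernel_config quotes values, outside this hunk), otherwise point it at the real PEM file the image should trust. The enclosing `if [ "$KERNEL_SECURITY" = true ]` block starts and ends outside the hunk.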
@@ -326,11 +330,11 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_NF_LOG_IPV6 m
 set_kernel_config CONFIG_NF_NAT_IPV4 m
 set_kernel_config CONFIG_NF_NAT_IPV6 m
- set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 m
- set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 m
+ set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV4 y
+ set_kernel_config CONFIG_NF_NAT_MASQUERADE_IPV6 y
 set_kernel_config CONFIG_NF_NAT_PPTP m
 set_kernel_config CONFIG_NF_NAT_PROTO_GRE m
- set_kernel_config CONFIG_NF_NAT_REDIRECT m
+ set_kernel_config CONFIG_NF_NAT_REDIRECT y
 set_kernel_config CONFIG_NF_NAT_SIP m
 set_kernel_config CONFIG_NF_NAT_SNMP_BASIC m
 set_kernel_config CONFIG_NF_NAT_TFTP m
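Review bot: CONFIG_NF_NAT_MASQUERADE_IPV4/IPV6 and CONFIG_NF_NAT_REDIRECT are switched to `y` while CONFIG_NF_NAT_IPV4 and CONFIG_NF_NAT_IPV6 two lines above stay `m`; as far as I can tell Kconfig caps a tristate at the level of what it depends on, so these will be demoted back to `m` when the config is regenerated and the change becomes a silent no-op. Either raise the NAT core options as well (`set_kernel_config CONFIG_NF_NAT_IPV4 y` and `set_kernel_config CONFIG_NF_NAT_IPV6 y`, plus CONFIG_NF_NAT outside the hunk) or leave these three as `m`. A one-line comment stating why built-in masquerading is wanted would also help the next reader.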
@@ -340,16 +344,32 @@ if [ "$BUILD_KERNEL" = true ] ; then
 set_kernel_config CONFIG_NF_TABLES_ARP m
 set_kernel_config CONFIG_NF_TABLES_BRIDGE m
 set_kernel_config CONFIG_NF_TABLES_INET m
- set_kernel_config CONFIG_NF_TABLES_IPV4 m
- set_kernel_config CONFIG_NF_TABLES_IPV6 m
+ set_kernel_config CONFIG_NF_TABLES_IPV4 y
+ set_kernel_config CONFIG_NF_TABLES_IPV6 y
 set_kernel_config CONFIG_NF_TABLES_NETDEV m
+ set_kernel_config CONFIG_NF_TABLES_SET m
+ set_kernel_config CONFIG_NF_TABLES_INET y
+ set_kernel_config CONFIG_NF_TABLES_NETDEV y
+ set_kernel_config CONFIG_NFT_CONNLIMIT m
+ set_kernel_config CONFIG_NFT_TUNNEL m
+ set_kernel_config CONFIG_NFT_SOCKET m
+ set_kernel_config CONFIG_NFT_TPROXY m
+ set_kernel_config CONFIG_NF_FLOW_TABLE m
+ set_kernel_config CONFIG_NFT_FLOW_OFFLOAD m
+ set_kernel_config CONFIG_NF_FLOW_TABLE_INET m
+ set_kernel_config CONFIG_NF_TABLES_ARP y
+ set_kernel_config CONFIG_NF_FLOW_TABLE_IPV4 y
+ set_kernel_config CONFIG_NF_FLOW_TABLE_IPV6 y
+ set_kernel_config CONFIG_NF_TABLES_BRIDGE y
+ set_kernel_config CONFIG_NF_CT_NETLINK_TIMEOUT m
+ set_kernel_config CONFIG_NFT_OSF m
 fi
 # Enables BPF syscall for systemd-journald see https://github.com/torvalds/linux/blob/master/init/Kconfig#L848 or https://groups.google.com/forum/#!topic/linux.gentoo.user/_2aSc_ztGpA
 if [ "$KERNEL_BPF" = true ] ; then
- set_kernel_config CONFIG_BPF_SYSCALL y
- set_kernel_config CONFIG_BPF_EVENTS y
- set_kernel_config CONFIG_BPF_STREAM_PARSER y
+ set_kernel_config CONFIG_BPF_SYSCALL y
+ set_kernel_config CONFIG_BPF_EVENTS y
+ set_kernel_config CONFIG_BPF_STREAM_PARSER y
 set_kernel_config CONFIG_CGROUP_BPF y
 fi
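Review bot: Four options are now set twice with conflicting values in the same block: CONFIG_NF_TABLES_INET, CONFIG_NF_TABLES_NETDEV, CONFIG_NF_TABLES_ARP and CONFIG_NF_TABLES_BRIDGE are `m` in the context lines at the top of the hunk and `y` in the added lines. Whichever value set_kernel_config applies last presumably wins, so the earlier lines are dead and the intended value is unclear; keep a single line per option, e.g. drop the four `m` lines and keep `set_kernel_config CONFIG_NF_TABLES_INET y` and the other three `y` lines. CONFIG_NF_FLOW_TABLE_IPV4/IPV6 are also set `y` while CONFIG_NF_FLOW_TABLE, which they depend on, is `m`, so they are likely to be demoted to `m` on config regeneration.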
@@ -537,19 +557,27 @@ if [ "$BUILD_KERNEL" = true ] ; then
 fi
 else # BUILD_KERNEL=false
- if [ "$SET_ARCH" = 64 ] && { [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; } ; then
-
- # Use Sakakis modified kernel if ZSWAP is active
- if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
- RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
- fi
+ if [ "$SET_ARCH" = 64 ] ; then
+ if [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
+ # Use Sakakis modified kernel if ZSWAP is active
+ if [ "$KERNEL_ZSWAP" = true ] || [ "$KERNEL_VIRT" = true ] || [ "$KERNEL_NF" = true ] || [ "$KERNEL_BPF" = true ] ; then
+ RPI3_64_KERNEL_URL="${RPI3_64_BIS_KERNEL_URL}"
+ fi
- # Create temporary directory for dl
- temp_dir=$(as_nobody mktemp -d)
+ # Create temporary directory for dl
+ temp_dir=$(as_nobody mktemp -d)
- # Fetch kernel dl
- as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
+ # Fetch kernel dl
+ as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI3_64_KERNEL_URL"
+ fi
+ if [ "$SET_ARCH" = 64 ] && [ "$RPI_MODEL" = 4 ] ; then
+ # Create temporary directory for dl
+ temp_dir=$(as_nobody mktemp -d)
+ # Fetch kernel dl
+ as_nobody wget -O "${temp_dir}"/kernel.tar.xz -c "$RPI4_64_KERNEL_URL"
+ fi
+ #extract download
 tar -xJf "${temp_dir}"/kernel.tar.xz -C "${temp_dir}"
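Review bot: `temp_dir` is now only assigned inside the model 3/3P and model 4 branches, but `tar -xJf "${temp_dir}"/kernel.tar.xz` at the end of the hunk runs for every model inside the `SET_ARCH = 64` block; for any other RPI_MODEL it expands to `/kernel.tar.xz` (or whatever an earlier step left in the variable) and the build carries on without a kernel. Add a failing else branch, e.g. `else echo "No prebuilt 64-bit kernel for RPI_MODEL=${RPI_MODEL}" >&2; exit 1`, and drop the redundant inner `[ "$SET_ARCH" = 64 ]` test. Both tarballs are fetched with wget and unpacked with no checksum or signature verification, which is pre-existing but the new RPI4_64_KERNEL_URL path inherits it; a pinned SHA-256 compared before the `tar -xJf` would close that supply-chain gap. The `if [ "$SET_ARCH" = 64 ]` block continues past the hunk.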
@@ -566,15 +594,15 @@ else # BUILD_KERNEL=false
 chown -R root:root "${R}/lib/modules"
 fi
- # Install Kernel from hypriot comptabile with all Raspberry PI
- if [ "$SET_ARCH" = 32 ] ; then
+ # Install Kernel from hypriot comptabile with all Raspberry PI (dunno if its compatible with RPI4 - better compile your own kernel)
+ if [ "$SET_ARCH" = 32 ] && [ "$RPI_MODEL" != 4 ] ; then
 # Create temporary directory for dl
 temp_dir=$(as_nobody mktemp -d)
 # Fetch kernel
 as_nobody wget -O "${temp_dir}"/kernel.deb -c "$RPI_32_KERNEL_URL"
- # Copy downloaded U-Boot sources
+ # Copy downloaded kernel package
 mv "${temp_dir}"/kernel.deb "${R}"/tmp/kernel.deb
 # Set permissions
diff --git a/bootstrap.d/15-rpi-config.sh b/bootstrap.d/15-rpi-config.sh
index b7a8684..9b717d0 100644
--- a/bootstrap.d/15-rpi-config.sh
+++ b/bootstrap.d/15-rpi-config.sh
@@ -112,7 +112,7 @@ if [ "$ENABLE_TURBO" = true ] ; then
 echo "boot_delay=1" >> "${BOOT_DIR}/config.txt"
 fi
-if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
+if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ]; then
 # Bluetooth enabled
 if [ "$ENABLE_BLUETOOTH" = true ] ; then
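Review bot: With `[ "$SET_ARCH" = 32 ] && [ "$RPI_MODEL" != 4 ]` a 32-bit BUILD_KERNEL=false run for model 4 silently installs no kernel at all, and the comment only says "better compile your own kernel"; the build should stop instead, so give this `if` an else branch such as `echo "No prebuilt 32-bit kernel for RPI_MODEL=4, set BUILD_KERNEL=true" >&2; exit 1` (its `fi` is outside the hunk). The comment also carries the typo `comptabile` and would be clearer as `# Install the hypriot kernel (all Raspberry Pi models except 4; build your own kernel for RPi 4)`. The enclosing `else # BUILD_KERNEL=false` block continues beyond the hunk.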
@@ -126,8 +126,8 @@ if [ "$RPI_MODEL" = 0 ] || [ "$RPI_MODEL" = 3 ] || [ "$RPI_MODEL" = 3P ] ; then
 mv "${temp_dir}/pi-bluetooth" "${R}/tmp/"
 # Bluetooth firmware from arch aur https://aur.archlinux.org/packages/pi-bluetooth/
- as_nobody wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
- as_nobody wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
+ wget -q -O "${R}/tmp/pi-bluetooth/LICENCE.broadcom_bcm43xx" https://aur.archlinux.org/cgit/aur.git/plain/LICENCE.broadcom_bcm43xx?h=pi-bluetooth
+ wget -q -O "${R}/tmp/pi-bluetooth/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd
 # Set permissions
 chown -R root:root "${R}/tmp/pi-bluetooth"
diff --git a/bootstrap.d/20-networking.sh b/bootstrap.d/20-networking.sh
index f80f006..a1213db 100644
--- a/bootstrap.d/20-networking.sh
+++ b/bootstrap.d/20-networking.sh
@@ -106,7 +106,7 @@ if [ "$ENABLE_WIRELESS" = true ] ; then
 temp_dir=$(as_nobody mktemp -d)
 # Fetch firmware binary blob for RPI3B+
- if [ "$RPI_MODEL" = 3P ] ; then
+ if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
 # Fetch firmware binary blob for RPi3P
 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.bin" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.bin"
 as_nobody wget -q -O "${temp_dir}/brcmfmac43455-sdio.txt" "${WLAN_FIRMWARE_URL}/brcmfmac43455-sdio.txt"
diff --git a/bootstrap.d/43-videocore.sh b/bootstrap.d/43-videocore.sh
index 344965c..b0d7a58 100644
--- a/bootstrap.d/43-videocore.sh
+++ b/bootstrap.d/43-videocore.sh
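Review bot: The two firmware downloads in 15-rpi-config.sh drop the `as_nobody` wrapper, so wget now talks to remote hosts as root, unlike every other fetch in this tree (the 20-networking.sh hunk below still uses `as_nobody wget`). If the motivation is that `${R}/tmp/pi-bluetooth` is not writable by nobody, fetch into the `temp_dir` used on the first line of the hunk (presumably created via `as_nobody mktemp -d` as elsewhere) and move as root, e.g. `as_nobody wget -q -O "${temp_dir}/BCM43430A1.hcd" https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/master/broadcom/BCM43430A1.hcd` followed by `mv "${temp_dir}/BCM43430A1.hcd" "${R}/tmp/pi-bluetooth/"`, and the same for the licence file. The .hcd blob is also pulled from the moving `master` ref with no pinned revision or hash; pinning a commit and checking a SHA-256 would make the image reproducible and detect tampering of a firmware blob that runs on the radio.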
@@ -34,11 +34,11 @@ if [ "$ENABLE_VIDEOCORE" = true ] ; then
 cd "${R}"/tmp/userland/build
 if [ "$RELEASE_ARCH" = "arm64" ] ; then
- cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+ cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/aarch64-linux-gnu.cmake -DARM64=ON -DCMAKE_C_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_CXX_COMPILER=aarch64-linux-gnu-g++ -DCMAKE_ASM_COMPILER=aarch64-linux-gnu-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
 fi
 if [ "$RELEASE_ARCH" = "armel" ] ; then
- cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
+ cmake -DCMAKE_SYSTEM_NAME=Linux -DCMAKE_BUILD_TYPE=release -DCMAKE_TOOLCHAIN_FILE="${R}"/tmp/userland/makefiles/cmake/toolchains/arm-linux-gnueabihf.cmake -DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_CXX_COMPILER=arm-linux-gnueabi-g++ -DCMAKE_ASM_COMPILER=arm-linux-gnueabi-gcc -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE" -DCMAKE_ASM_FLAGS="${CMAKE_ASM_FLAGS} -c" -DCMAKE_SYSTEM_PROCESSOR="arm" -DVIDEOCORE_BUILD_DIR="${R}" "${R}/tmp/userland"
 fi
 if [ "$RELEASE_ARCH" = "armhf" ] ; then
diff --git a/bootstrap.d/44-nexmon_monitor_patch.sh b/bootstrap.d/44-nexmon_monitor_patch.sh
index 5a260a2..1dc17b1 100644
--- a/bootstrap.d/44-nexmon_monitor_patch.sh
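Review bot: The armel branch now passes `-DCMAKE_TOOLCHAIN_FILE=.../arm-linux-gnueabihf.cmake` next to `-DCMAKE_C_COMPILER=arm-linux-gnueabi-gcc`; a toolchain file named for the hard-float ABI will presumably set its own compiler and ABI flags, and settings made inside a toolchain file normally take precedence over the `-D` values on the command line, so this risks building hard-float objects into an armel image. Check whether the userland tree ships an `arm-linux-gnueabi.cmake` toolchain and reference that, or leave the armel invocation without a toolchain file. `-U_FORTIFY_SOURCE` in CMAKE_C_FLAGS is carried over unchanged on both lines; it switches off glibc's fortified buffer checks for the VideoCore libraries and deserves a comment such as `# -U_FORTIFY_SOURCE: userland does not build with fortified glibc wrappers (see upstream issue)` so the loss of that mitigation is a deliberate, documented choice.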
+++ b/bootstrap.d/44-nexmon_monitor_patch.sh
@@ -74,7 +74,7 @@ if [ "$ENABLE_NEXMON" = true ] && [ "$ENABLE_WIRELESS" = true ]; then
 cp -f "${NEXMON_ROOT}"/patches/bcm43430a1/7_45_41_46/nexmon/brcmfmac43430-sdio.bin "${WLAN_FIRMWARE_DIR}"/brcmfmac43430-sdio.bin
 fi
- if [ "$RPI_MODEL" = 3P ] ; then
+ if [ "$RPI_MODEL" = 3P ] || [ "$RPI_MODEL" = 4 ] ; then
 cd "${NEXMON_ROOT}"/patches/bcm43455c0/7_45_154/nexmon || exit
 sed -i -e 's/all:.*/all: $(RAM_FILE)/g' ${NEXMON_ROOT}/patches/bcm43455c0/7_45_154/nexmon/Makefile
 make clean
diff --git a/rpi23-gen-image.sh b/rpi23-gen-image.sh
index b07beb1..27e0936 100755
--- a/rpi23-gen-image.sh
+++ b/rpi23-gen-image.sh
@@ -470,7 +470,7 @@ if [ -n "$MISSING_PACKAGES" ] ; then
 [ "$confirm" != "y" ] && exit 1
 # Make sure all missing required packages are installed
- apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
+ apt-get update && apt-get -qq -y install `echo "${MISSING_PACKAGES}" | sed "s/ //"`
 fi
 # Check if ./bootstrap.d directory exists
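Review bot: Extending the 3P branch of 44-nexmon_monitor_patch.sh to RPI_MODEL=4 applies the bcm43455c0/7_45_154 nexmon patch to the model 4 firmware as well, and nothing here shows that the firmware revision shipped for the RPi 4 matches that patch directory; a patched radio blob for the wrong revision fails at best silently. Confirm the revision before shipping, and add a comment on the `if` line such as `# RPi 3B+ and RPi 4 share the BCM43455 C0 firmware — verify revision 7.45.154 on new firmware drops`. The `sed -i ... ${NEXMON_ROOT}/...` path on the context line is unquoted, unlike the `cd "${NEXMON_ROOT}"` above it.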
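Review bot: In rpi23-gen-image.sh the new `apt-get update && apt-get ... install` chain does not abort when either command fails; the `if` block simply ends and the script continues without the packages it has just told the user are required, even though the `exit 1` on a refused confirmation two lines up shows the intent is to stop. Append the exit and drop the backtick/sed dance, whose `s/ //` only removes the first space while unquoted expansion already splits the list: `apt-get update && apt-get -qq -y install ${MISSING_PACKAGES} || exit 1` (with a `# shellcheck disable=SC2086` note that the splitting is intentional). The `if [ -n "$MISSING_PACKAGES" ]` block starts before the hunk.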